https://community.cisco.com/t5/network-security/cannot-ping-server-from-firewall/m-p/2918606#M157012 <P>Hi Mahesh,</P> <P>I believe your ping is reaching the firewall, because your log shows it is getting denied. That is a good sign that the ping is getting there.</P> <P>Do you have an access-list built allowing the two networks to talk to each other?</P> <P>"access-list MY-INSIDE-ACL extended permit ip object 10.68.49.x object 10.68.55.105"</P> <P>and</P> <P>Have you applied the access-list to your inside interface?</P> <P>"access-group MY-INSIDE-ACL in interface inside"</P> <P>Also, does your switch have IP Routing enabled? If the ping is getting to the firewall and you have a good access-list (running packet tracer can confirm this, as m.kafka suggests), perhaps the switch is not allowing the ping to return from the firewall?</P> Tue, 12 Jul 2016 20:48:08 GMT John Forester 2016-07-12T20:48:08Z https://community.cisco.com/t5/network-security/cannot-ping-server-from-firewall/m-p/2918603#M157009 <P>Hi Everyone,</P> <P></P> <P>Here is setup</P> <P></P> <P>ASA---inside interface-10.68.49.x-----------------------------------Switch--------------------------------server</P> <P></P> <P>ASA inside interface has default route which points to switch.</P> <P>From switch I can ping the server address 10.68.55.105</P> <P>I can ping the ASA inside interface IP from switch.</P> <P>But from ASA I can not ping it.</P> <P>when from server we try ping it does notwork</P> <P></P> <P>ASA-3-313001: Denied ICMP type=8, code=0 from 10.68.55.105 on interface inside</P> <P>Regards</P> <P>MAhesh</P> Tue, 12 Mar 2019 08:00:46 GMT https://community.cisco.com/t5/network-security/cannot-ping-server-from-firewall/m-p/2918603#M157009 mahesh18 2019-03-12T08:00:46Z https://community.cisco.com/t5/network-security/cannot-ping-server-from-firewall/m-p/2918604#M157010 <P>You are probably missing a route to 10.68.55.x network on your ASA! To tell more, please post your sh run int and sh run route</P> Tue, 12 Jul 2016 02:17:57 GMT https://community.cisco.com/t5/network-security/cannot-ping-server-from-firewall/m-p/2918604#M157010 Pavel Trinos 2016-07-12T02:17:57Z https://community.cisco.com/t5/network-security/cannot-ping-server-from-firewall/m-p/2918605#M157011 <P>Mahesh,</P> <P></P> <P>can you give a bit more details? Your setup looks unusual to me or I made wrong assumptions:</P> <P>What's the subnet mask and IP addresses for all devices? (I assume /24 should be on all interfaces).</P> <P>What's the output from packet tracer?</P> <P>313001 is explained here <A href="http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4771105" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4771105</A> :</P> <PRE class="prettyprint"><SPAN class="pEM_ErrMsg"><SPAN class="cBoldNormal">Error Message&nbsp;&nbsp;&nbsp;</SPAN> %PIX|ASA-3-313001: Denied ICMP type=<EM class="cCi_CmdItalic">number</EM>, code=<EM class="cCi_CmdItalic">code</EM> from <EM class="cCi_CmdItalic">IP_address</EM> on interface <EM class="cCi_CmdItalic">interface_name </EM></SPAN></PRE> <P><SPAN class="content"><A name="wp4771108"></A></SPAN></P> <P class="pEE_ErrExp"><SPAN class="cBoldNormal">Explanation&nbsp;&nbsp;&nbsp;</SPAN> When using the <SPAN style="color: black; font-style: normal; font-weight: bold;">icmp</SPAN> command with an access list, if the first matched entry is a permit entry, the ICMP packet continues processing. If the first matched entry is a deny entry or an entry is not matched, the security appliance discards the ICMP packet and generates this syslog message. The <B class="cBold">icmp</B> command enables or disables pinging to an interface. With pinging disabled, the security appliance cannot be detected on the network. This feature is also referred to as configurable proxy pinging.</P> <P class="pEE_ErrExp">Maybe give us a running config with all sensitive information removed (like public IPs, usernames, passwords, even encrypted etc.)</P> <P class="pEE_ErrExp"></P> <P class="pEE_ErrExp">Rgds, MiKa</P> <P><SPAN class="content"></SPAN></P> Tue, 12 Jul 2016 20:14:40 GMT https://community.cisco.com/t5/network-security/cannot-ping-server-from-firewall/m-p/2918605#M157011 m.kafka 2016-07-12T20:14:40Z https://community.cisco.com/t5/network-security/cannot-ping-server-from-firewall/m-p/2918606#M157012 <P>Hi Mahesh,</P> <P>I believe your ping is reaching the firewall, because your log shows it is getting denied. That is a good sign that the ping is getting there.</P> <P>Do you have an access-list built allowing the two networks to talk to each other?</P> <P>"access-list MY-INSIDE-ACL extended permit ip object 10.68.49.x object 10.68.55.105"</P> <P>and</P> <P>Have you applied the access-list to your inside interface?</P> <P>"access-group MY-INSIDE-ACL in interface inside"</P> <P>Also, does your switch have IP Routing enabled? If the ping is getting to the firewall and you have a good access-list (running packet tracer can confirm this, as m.kafka suggests), perhaps the switch is not allowing the ping to return from the firewall?</P> Tue, 12 Jul 2016 20:48:08 GMT https://community.cisco.com/t5/network-security/cannot-ping-server-from-firewall/m-p/2918606#M157012 John Forester 2016-07-12T20:48:08Z https://community.cisco.com/t5/network-security/cannot-ping-server-from-firewall/m-p/2918607#M157013 <P>there was an access list on inside interface for ping traffic &nbsp;and when I added server subnet to it&nbsp; worked fine.</P> Tue, 12 Jul 2016 21:24:45 GMT https://community.cisco.com/t5/network-security/cannot-ping-server-from-firewall/m-p/2918607#M157013 mahesh18 2016-07-12T21:24:45Z